International and Foreign Cyberspace Law Research Guide

This guide covers resources on various aspects of cyberspace law, including Internet governance, electronic commerce, privacy, cyber crime, cyber warfare, and cyber terrorism.

Primary Sources of E.U. Data Protection & Privacy Law

The E.U. has been a pioneer in the fields of data protection and online privacy, having first enacted legislation more than 20 years ago. It recently completed a major reform of its data protection framework, which is intended to enhance protections for individuals, provide a single set of harmonized rules for businesses, and simplify procedures for transferring data outside the E.U.
 

Current E.U. Data Protection & Privacy Legislation

Listed below are some of the most important pieces of E.U. legislation on data protection and privacy which are in force as of November 2022.

Prior E.U. Legislation No Longer in Force

The following legislation is no longer in force but may be of interest for historical research.

Explanatory Notes on E.U. Legislation

For those unfamiliar with the different types of E.U. legislation, the following definitions are provided:

  • Regulations are binding legislative acts of general application that must be complied with upon entry into force by each member state. They supersede any conflicting national laws.
     
  • Directives are binding legislative acts of general application that establish a goal or objective. Member states must enact legislation to implement a directive by a specified date, a process known as transposition.
     
  • Decisions are legislative acts issued by the Council of the E.U. or by the European Commission that bind only those governments, companies, or individuals to whom they are addressed.
     

E.U. Charter of Fundamental Rights

The Charter of Fundamental Rights enshrines within a single document the political, social, and economic rights protected by the E.U. It applies to both the E.U. as an institution and to its members states when they implement E.U. law. E.U. courts are empowered to strike down legislation and official actions that are inconsistent with the Charter.

The full text of the Charter is available for download as a PDF. Relevant provisions of the Charter include Article 7 (respect for private and family life), Article 8 (protection of personal data), and Article 11 (freedom of expression and information).
 

E.U. Case Law

E.U. courts are generating a growing body of case law involving privacy and data protection, most notably the judgment in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014), also known as the “right to be forgotten” case. 

To search by keyword for E.U. case law on privacy and data security, use the EUR-Lex database’s Advanced Search tool and select EU law and case-law→Case-law from the Collection menu in the center of the page to limit your search to cases. Searchable databases of E.U. case law also are available on Lexis and Westlaw.

Additional Resources on E.U. Data Protection

E.U. Data Protection Portal
The European Commission, the executive arm of the E.U., maintains this convenient gateway for information about the E.U.’s data protection and privacy law. Relevant sections include:

European Data Protection Board: Directory of National Data Protection Authorities
The EDPB maintains this page with links to and contact information for the national data protection authorities of E.U. and EEA members.

Secondary Sources of E.U. Data Protection & Privacy Law